There are some very good reasons to check a file's mime type.  For one
thing, if you send a user an executable when you meant to send them a
jpg, and that executable unleashes a virus, that is no good.  Not only
will no one visit your site if they know you are a source of viruses, you
may get sued for damages.  (Computers are expensive!)

Everything depends on how the file is used.  If, for instance, the only
person who will be downloading or handling the file will be the person
who uploaded it, everything should be fine.  (Nobody's going to infect /
r00t their own computer intentionally.)

But let's say you run the file yourself.  In that case, that file can
hurt your server.

So basically, if you don't check your files scrupulously a hacker can
and will do something evil.

-Dan

On Mon, 2003-07-14 at 00:24, Gerard Samuel wrote:
> Gerard Samuel wrote:
> 
> >> A client-supplied value isn't going to be too useful - it can be 
> >> spoofed, or
> >> may not be present. (I believe a Windows browser would set the mime-type
> >> based purely on the file extension, though I haven't tested this 
> >> myself).
> >>
> >
> > Then my apologies.  I thought php determined the file type on upload, 
> > and not rely on user input as you're saying.
> > Makes me rethink some of my own code :) 
> 
> Looking for opinions.  Can a spoofed uploaded file hurt a script or a 
> webserver??
> Reason why I'm asking is because, I looked over the magic.mime file on my 
> server, and I see that it
> doesn't support flash files (I may be wrong), of which I currently allow 
> flash files to be uploaded.
> So who knows what else it may not support.
> I guess, can it really be bad for your script, your server, and/or your 
> health??
> 

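The point both posters circle around is that `$_FILES[...]['type']` is whatever the browser chose to send, so the server has to decide the type from the bytes it actually received. The following is an added example (not code from this thread or from PHP itself) of an upload handler that does that: it ignores the client-supplied type and filename, sniffs the content with `finfo`, falls back to a hand-written check of the Flash signature because the thread notes `magic.mime` may not know SWF, and stores the file under a server-chosen name from a fixed allowlist. The function names `sniffUploadType()` and `storeUpload()`, the `ALLOWED_TYPES` map, the `upload` field name and the `uploads/` directory are this example's own assumptions; it assumes PHP 7 or later.

```php
<?php
// Added example: server-side type check for an uploaded file that ignores the
// client-supplied $_FILES[...]['type'] and inspects the bytes on disk instead.
// ALLOWED_TYPES, sniffUploadType() and storeUpload() are assumptions of this
// example, not code from the list thread.

// Allowlist of content types we are prepared to store, mapped to the extension
// the stored copy will get (the original filename never decides anything).
const ALLOWED_TYPES = [
    'image/jpeg'                    => 'jpg',
    'image/png'                     => 'png',
    'image/gif'                     => 'gif',
    'application/x-shockwave-flash' => 'swf',
];

/**
 * Detect the type from the file content. The SWF signatures are checked by
 * hand first ("FWS" = uncompressed, "CWS" = zlib-compressed) because the
 * thread notes that magic.mime may not recognise Flash; everything else is
 * left to finfo (libmagic). Returns null when nothing can be determined.
 */
function sniffUploadType(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 16);
    fclose($fh);

    if (is_string($head) && strlen($head) >= 3
        && in_array(substr($head, 0, 3), ['FWS', 'CWS'], true)) {
        return 'application/x-shockwave-flash';
    }

    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type  = $finfo->file($path);
    return $type === false ? null : $type;
}

/**
 * Validate one entry of $_FILES and move it into $destDir under a random
 * name. Returns the stored path, or null if the upload was rejected.
 */
function storeUpload(array $file, string $destDir): ?string
{
    // Reject partial uploads, size-limit violations, and missing files.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Refuse any path that did not arrive through the HTTP POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // The client's 'type' and 'name' fields are deliberately never read.
    $type = sniffUploadType($file['tmp_name']);
    if ($type === null || !isset(ALLOWED_TYPES[$type])) {
        return null;
    }
    // Server-chosen name and extension derived from the detected type only.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // stored uploads are data, never executable
    return $dest;
}

// Usage (assumes a form field named "upload" and a writable uploads/ dir).
if (isset($_FILES['upload'])) {
    $stored = storeUpload($_FILES['upload'], __DIR__ . '/uploads');
    echo $stored === null ? "Upload rejected\n" : "Stored as $stored\n";
}
```

Two design choices matter as much as the sniffing itself: the stored name and extension come from the detected type, never from the client, so a file that claims to be `photo.jpg` but is really something else can only be stored as what it actually is or be rejected; and the upload directory should be served as static content with script execution disabled, so that even a file that fools the type check is never run on the server, which is the "run the file yourself" case the reply warns about.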

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php